30 March 2014

The past four days participating in Alaska Shield of the National Level Exercise Capstone 2014 are a stark reminder of how far we have come and yet how far we still have to go. Operational Risk Management (ORM) is evolving into a discipline with an overarching set of objectives. The organizations and entities that do not understand the purpose of, and the reason behind, having SMART objectives might need a refresher:

Simple

Measurable

Achievable

Realistic

Task-oriented

Without "SMART" objectives, any project will keep searching for a purpose and a relevant set of outcomes. Constituents, stakeholders and the various affected employees who intersect with an internal risk mitigation exercise will continuously require coaching on how to base the project on "SMART" objectives.

Next, the stakeholders will require a path forward that includes a building block approach to gaining consensus, agreement and a set of written events that will either be simulated or real. These events comprise a master scenario that the organization will utilize to test a hypothesis or a set of operational capabilities. The overarching outcome is to determine where there are gaps, vulnerabilities and opportunities to improve.

The building blocks approach may include:

Seminars

Workshops

Table Top Exercises

Games

These provide the stakeholders with the opportunity to converge on their respective areas of expertise and integrate them with the overall scenario being developed. However, these are still based upon first identifying the "SMART Objectives" and their application to your particular business, organization, city, state or country.

Taking the foundation of Operational Risk Management and applying a process for evaluation requires a set of standards, so that all of the respective constituents will be talking and practicing from the same exercise play book. In the United States this standard is HSEEP, the "Homeland Security Exercise and Evaluation Program":

The Homeland Security Exercise and Evaluation Program (HSEEP) is a capabilities and performance-based exercise program that provides a standardized methodology and terminology for exercise design, development, conduct, evaluation, and improvement planning.

The Homeland Security Exercise and Evaluation Program (HSEEP) constitutes a national standard for all exercises. Through exercises, the National Exercise Program supports organizations to achieve objective assessments of their capabilities so that strengths and areas for improvement are identified, corrected, and shared as appropriate prior to a real incident.

Whether your organization is new to doing functional or full-scale exercises doesn't matter. Having a process-oriented model for program management and project management will provide you with the tools and the foundation to achieve newfound learning on where and how to improve your enterprise resilience.

Operational Risk Management professionals are working with an organization or population that is constantly striving to be more resilient. Without testing, without exercising and without the process framework in place to try to achieve measurable objectives, the organization will never gain the vital insight on where and how it can improve rapidly. It will never fully understand where the enemy will try to exploit its weaknesses. The organization will never know its resilience factor at this point in time.

When was the last time your organization really tested itself to survive? How long has it been since you re-established the relationships and the trusted connections with your own supply chain? Why has it been that long? There are some elite organizations in the world who understand readiness, and who have learned along the way of their evolution why exercising and a trusted supply chain are critical to their own survival before the next incident occurs:

To become a SEAL in the Naval Special Warfare/Naval Special Operations (NSW/NSO) community, you must first go through what is widely considered to be the most physically and mentally demanding military training in existence. Then comes the tough part: the job of essentially taking on any situation or foe that the world has to offer.

Direct action warfare. Special reconnaissance. Counterterrorism. Foreign internal defense. When there’s nowhere else to turn, Navy SEALs are in their element. Achieving the impossible by way of conditioned response, sheer willpower and absolute dedication to their training, their missions and their fellow spec ops team members.

This analogy to the Navy SEALs demonstrates that preparedness, long before you are asked to test your own resilience, will save lives. Yet there are so many other ways that our planet and the people on it are being tested every day, outside of the context of counterterrorism or national defense missions.

"Mother Nature," and the magnitude with which she continues to unleash her strength and, in many cases, her unrelenting path of destruction (hurricanes, earthquakes, drought, pandemic), makes any organization vulnerable and leaves any population exposed to substantial operational risks:

The IDRN is the official arm of the Starfish Community for responding to disasters around the world. No single organization has the resources to respond to every disaster event, but because of the partnerships within the Starfish Community, members are able to leverage the strength of the entire network to provide meaningful help to those in need.

Every event is different in location, scope and impact. As different Starfish Community members decide whether or not to respond to any single event, those individuals and/or organizations that choose to respond, can pull together and collaborate with other Starfish Community members through the International Disaster Response Network which is often referred to as the IDRN.

Because disaster response conversations are so specific and time-sensitive, the IDRN has its own dedicated website for sharing information and managing collaboration. It can be found online at: www.idrn.info.

When you think about resilience in the context of the threats before us, we all have to realize that, whether it is the National Level Exercise (NLE), the US Navy SEALs or the Starfish Community, only SMART objectives will increase our ability to learn, to save lives and to allow for the potential survivability of our organizations or impacted populations.

16 March 2014

The international spectrum of Operational Risk Management (ORM) is playing out before us on a global stage. A Malaysia Airlines 777, missing for over 7 days, is now considered the result of a deliberate act of human behavior, not an accident. Nation states and the airline industry are in full crisis management collaboration. What will happen when it is found, or detected flying on a new route?

A U.S. government agency in the Department of Commerce (NTIA) is transitioning control of the Internet's Domain Name System root zone file to ICANN (think United Nations of the Internet). Is this international fallout from greater transparency of U.S. intelligence operations by the National Security Agency (NSA)? Probably not.

And while all of this is distracting our attention, the operational risks associated with volatility on the financial world stage continue to unfold:

International use of the yuan is increasing as China opens up its capital markets. A third of China’s trade will be settled in yuan by 2015 and the currency will be fully convertible within five years, HSBC forecast in a report last year. The yuan surpassed the euro as the world’s second most-popular currency in trade finance in 2013.

What will the future hold for global business commerce and the emerging regions of conflict? Syria. Ukraine. Russia. Iraq. Afghanistan.

KABUL, AFGHANISTAN – In his final address to Afghanistan's parliament Saturday, President Hamid Karzai told the United States its soldiers can leave at the end of the year because his military, which already protects 93 percent of the country, was ready to take over entirely.

This is where our next generation of "Operational Risk Specialists" will come from, to assist us in our most challenging future of global incidents, crises and humanitarian requirements.

Yet these million men and women will be competing in an economy that is ultra-competitive. There are, however, innovative ways for us to hedge the risks for U.S. veterans as they look for their next mission in the private sector. The first step is an old and very effective method called mentoring.

It would be in the best interest of the private sector, in a world that is challenged by so much change, volatility and uncertainty, to have a cadre of "Operational Risk Specialists" who are there at a moment's notice, working 24 x 7 in concert with all critical business functions to enhance the resilience of the enterprise. Yet it will take thousands of mentors to assist these veterans as they transition to this important role and mission.

Are you a CxO who relies now on a small team of risk-minded people tasked with your supply chain, personnel security, information security, facilities or even insider incidents? You are the perfect catalyst to get a new program going at your organization. Begin the process of identifying and tasking the right people in your organization to be mentors for the new "Operational Risk Specialists" that you should hire over the next few years.

What would happen if you created a whole new way for you to mentor, hire, mentor, train, mentor and grow a new generation of risk management professionals for your organization? How could the performance and the resiliency of your enterprise improve with the ongoing mentoring of veterans as they begin to understand the business of the private sector, a different and yet similar environment for the management of operational risks?

Your vision should be to create a "VetAccelerator" for each of your organizational business units, to engage mentors with new veterans returning and transitioning from over a decade of war. We have done this before in our U.S. history, and this will not be the last time. Let all of us embrace the opportunity to strengthen our business engine and to improve our resilience in the new world order.

Finally, never forget how all of this latest chapter started. And how it still continues to play out on a daily basis. Our vigilance is an imperative and veterans will be our "Operational Risk Specialists" for years to come.

01 March 2014

The 2014 RSA Conference USA is complete, and yet what have we learned? Operational Risk Management (ORM) is still top of mind from the "Board Room" to the back office. The mitigation strategies are permeating the 3rd party supply chain, as management realizes that operational risks really do exist with partners and suppliers. By now the RSA attendees are reviewing their notes, connecting with people on LinkedIn and sorting the stack of business cards on their desk. Now what?

Have some of the largest retailers been the victims of massive data breach hacks? Yes. Have those attendees of the RSA Conference who downloaded the mobile app been exposed to a potential data leak of their information? Yes.

Meanwhile, Operational Risks exist far beyond Moscone and San Francisco. Have financial institutions been fined by government regulators over alleged violations in the sale of mortgage securities that led to the 2008 financial crash? Yes.

Have the age-old competitive intelligence tactics evolved into full-blown "Industrial Espionage" funded and supported by nation states? Yes.

Has the polar vortex created a vast economic risk for millions of businesses due to adverse weather? Yes.

And the Operational Risks to your organization will continue, that is for certain. After a week at RSA, how can you return to your enterprise and know where to begin? What to change. What new initiative to begin. What new vulnerability to remediate. Don't worry, the list will not be getting any shorter. The priorities, however, may be changing.

So maybe it is time for a new "Consequence Assessment." Here are the key variables for the rows of your matrix:

Loss of life: Likely fatality count.

Economic damage: Estimated costs of the attack or hazard.

Psychological impact: Considerations of change in population behavior toward social functions.

Now, the consequence levels become your columns of the matrix:

0 - None or Negligible

1 - Minor

2 - Moderate

3 - Significant

4 - Catastrophic or Severe

In order to make the consequence assessment relevant and applicable to your business size, industry sector and geographic location, you now need to define each of the cells of the matrix. So, as an example, if we go to the matrix cell of Economic Damage / Moderate (2), what is your definition? Perhaps in the range of $1 billion to $10 billion.

If you are JPMorgan Chase, then this may be the case for a consequence of legal liabilities due to adverse litigation by the U.S. government in the Madoff case:

JPMorgan Chase has been fined more than $2 billion for violations of the Bank Secrecy Act tied to failure to report suspicious activity related to Bernie Madoff's decades-long, multi-billion dollar Ponzi scheme. Madoff was sentenced in 2009 to 150 years in prison for his deception.

The fines against Chase were the result of three settlements. A settlement with the U.S. Attorney's Office for the Southern District of New York included a $1.7 billion penalty; a separate settlement with the Office of the Comptroller of the Currency included a $350 million penalty. Additionally, the Treasury Department's Financial Crimes Enforcement Network fined Chase $461 million for BSA-related violations. But FinCEN determined that its fine was satisfied by Chase's payment to the U.S. Attorney of New York.

If you are a mid-level business enterprise in the software industry that develops an "App" for consumers to file their income taxes online, then the metrics will be different for a moderate consequence of "Economic Damage." Your matrix will be entirely different and fine-tuned to what is relevant in your industry sector.

The Loss of Life category will be an interesting exercise. None or Negligible will be zero fatalities. Yet how do you define the difference between minor (1) and moderate (2)?

The Psychological Impact category will span:

0 - None or Negligible = No major change in population behavior; no effects on social functioning

to

4 - Catastrophic or Severe = Loss of belief in government and institutions; widespread disregard for official instructions; widespread looting and civil unrest

Once you have designed your particular matrix for your size and type of business, the real work begins. You must now begin developing the "Use Cases." What are the scenarios that you will apply to the exercise that will take place next with the affected stakeholders?

In a generic fashion, you will design specific and customized scenarios that address the major business revenue components of your particular enterprise. You are imagining an attack or hazard outcome that impacts that component of your business, such as these typical cases:

Earthquake destroys data centers

Tsunami overcomes nuclear reactors

Data hack exposes millions of customers' PII

Infectious disease outbreak across work force

Government prosecutes for violations of regulatory laws

Employee sues company for management harassment

New Customer Order Management system launch encounters substantial bugs/failures

After you have cleaned off your desk from a week away at RSA, the work really begins. Start your new "Consequence Assessment" soon. Gather senior executives for an off-site for two days to review the new scenarios you have designed. Get their independent feedback and perception of the variables of your matrix. Ask your Board of Directors for the resources and budgets to address the outcomes and insights from the exercise.
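The matrix described above (three rows, five consequence levels, cells defined by each organization, then use cases placed into it) is easy to get wrong in practice because the same dollar loss belongs in different columns for different organizations. The following Python is an added example, not code from the post: it encodes the rows and columns the post names, calibrates the cell thresholds for two organizations, and ranks the post's sample use cases against each. The only threshold taken from the post is Economic Damage / Moderate (2) = $1 billion to $10 billion for a bank-scale enterprise; every other numeric band, the descriptions for psychological impact levels 1 to 3, and the scenario estimates are constructed assumptions for illustration.

```python
"""Consequence assessment matrix (added example; thresholds are assumptions except where noted)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Column headings, exactly as the post lists them.
LEVELS: Dict[int, str] = {
    0: "None or Negligible",
    1: "Minor",
    2: "Moderate",
    3: "Significant",
    4: "Catastrophic or Severe",
}

# Psychological impact is ordinal and assigned by the assessment team rather than
# computed. Levels 0 and 4 quote the post; levels 1 to 3 are constructed placeholders.
PSYCHOLOGICAL_IMPACT: Dict[int, str] = {
    0: "No major change in population behavior; no effects on social functioning",
    1: "(constructed) Localized, short-lived anxiety; normal routines resume quickly",
    2: "(constructed) Measurable avoidance of affected services or locations",
    3: "(constructed) Sustained distrust of the institution; reduced use of its services",
    4: "Loss of belief in government and institutions; widespread disregard for official "
       "instructions; widespread looting and civil unrest",
}


@dataclass(frozen=True)
class Scenario:
    """One 'use case' together with the estimates the assessment team assigns to it."""
    title: str
    fatalities: int
    economic_damage_usd: float
    psychological_level: int  # 0-4, chosen from PSYCHOLOGICAL_IMPACT

    def __post_init__(self) -> None:
        if self.psychological_level not in LEVELS:
            raise ValueError(f"psychological_level must be 0-4, got {self.psychological_level}")
        if self.fatalities < 0 or self.economic_damage_usd < 0:
            raise ValueError("fatalities and economic damage cannot be negative")


@dataclass(frozen=True)
class ConsequenceMatrix:
    """Cell definitions for one organization.

    Each band tuple holds the lower bound of levels 1, 2, 3 and 4 for a quantitative
    row; any value below the level-1 bound is level 0 (None or Negligible).
    """
    name: str
    fatality_bands: Tuple[int, int, int, int]
    economic_bands_usd: Tuple[float, float, float, float]

    @staticmethod
    def _level(value: float, bands: Sequence[float]) -> int:
        level = 0
        for candidate, lower_bound in enumerate(bands, start=1):
            if value >= lower_bound:
                level = candidate
        return level

    def assess(self, scenario: Scenario) -> Dict[str, int]:
        """Place a scenario in the matrix: one consequence level per row."""
        return {
            "loss_of_life": self._level(scenario.fatalities, self.fatality_bands),
            "economic_damage": self._level(scenario.economic_damage_usd, self.economic_bands_usd),
            "psychological_impact": scenario.psychological_level,
        }


def worst_row(assessment: Dict[str, int]) -> Tuple[str, int]:
    """Return the row that drives the overall consequence (highest level wins, first row on ties)."""
    row = max(assessment, key=assessment.__getitem__)
    return row, assessment[row]


def rank_scenarios(matrix: ConsequenceMatrix, scenarios: Sequence[Scenario]) -> List[Tuple[str, str, int]]:
    """Order scenarios by their worst row, most severe first, for the off-site review."""
    ranked = []
    for scenario in scenarios:
        row, level = worst_row(matrix.assess(scenario))
        ranked.append((scenario.title, row, level))
    ranked.sort(key=lambda item: item[2], reverse=True)  # stable: ties keep input order
    return ranked


# Bank-scale calibration: the post puts Moderate (2) economic damage at $1 billion to
# $10 billion; the other economic bounds and all fatality bounds are constructed.
LARGE_BANK = ConsequenceMatrix(
    name="large bank",
    fatality_bands=(1, 10, 100, 1000),
    economic_bands_usd=(10e6, 1e9, 10e9, 100e9),
)

# Constructed calibration for a mid-sized tax-filing app vendor: the same dollar loss
# lands several columns further to the right.
MID_SOFTWARE = ConsequenceMatrix(
    name="mid-sized software vendor",
    fatality_bands=(1, 10, 100, 1000),
    economic_bands_usd=(100e3, 1e6, 10e6, 100e6),
)

# Constructed scenarios drawn from the post's list of typical use cases.
SCENARIOS = [
    Scenario("Data hack exposes millions of customers' PII", 0, 50e6, 3),
    Scenario("Earthquake destroys data centers", 3, 3e9, 2),
    Scenario("Employee sues company for management harassment", 0, 400e3, 0),
]

if __name__ == "__main__":
    for matrix in (LARGE_BANK, MID_SOFTWARE):
        print(f"\n{matrix.name}:")
        for title, row, level in rank_scenarios(matrix, SCENARIOS):
            print(f"  {level} ({LEVELS[level]}) via {row}: {title}")
```

The point the two calibrations make is the post's own: a $50 million breach is Minor (1) on the bank's matrix and Significant (3) on the software vendor's, and the earthquake that the bank rates Moderate (2) is Catastrophic (4) for the smaller company. Psychological impact is deliberately left as a judgement call rather than a computed value, because no cell definition for it reduces to a number.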

"Man must be arched and buttressed from within, else the temple will crumble to dust." — Marcus Aurelius Antoninus

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke